On Tue, Oct 13, 2015 at 11:02 AM, Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
> On Tue, Oct 13, 2015 at 10:34 AM, Sander Smeenk <ssmeenk@xxxxxxxxxxxx> wrote:
>> Quoting Trond Myklebust (trond.myklebust@xxxxxxxxxxxxxxx):
>>
>>> > I've experimented with different capabilities, but CAP_DAC_OVERRIDE is
>>> > not enough. I'd very much like to hear if it is possible for this to
>>> > work on NFS like it does on local storage.
>>> This will not work on NFS. The server, which enforces permissions, has
>>> no way to know what capabilities your process has on the client.
>>
>> Thanks. I feared this answer. But I understand that the NFS-server can't
>> know if the process on the NFS-client has CAP_DAC_READ_SEARCH
>> capabilities set.
>>
>> Would setfsuid() help anything in this case? Or is it just a big no-go?

setfsuid() would allow you to set a user up with root privileges on the fs. That's better than giving overall root privileges, but is still a risk, since a user could use it to overwrite /etc/passwd etc.

> Are you looking for something like labeled NFS that supports
> capabilities? I think Redhat7 has SELinux labeled NFS support.
>

The labeled NFS implementation is client enforced and confers no extra privileges on the server. Plus (please correct me if I'm wrong), I believe NetApp has yet to announce support for labeled NFS in OnTAP.
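
The setfsuid() risk discussed above, as an added example that is not part of the original thread: C code that confines a file-system UID change to a single read-only open() and verifies both the switch and the restore, since setfsuid() never reports failure. The helper names and the sample path are hypothetical.

```c
/* Added example (constructed): scope an fsuid change to one read-only open. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* setfsuid() returns the previous fsuid whether or not the change happened.
 * Passing (uid_t)-1 always fails, so the call doubles as a query. */
static uid_t current_fsuid(void)
{
    return (uid_t)setfsuid((uid_t)-1);
}

/* Change the fsuid and confirm it took effect: 0 on success, -1 (EPERM) if not. */
static int set_fsuid_checked(uid_t target)
{
    setfsuid(target);
    if (current_fsuid() != target) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open path read-only with permission checks done as fs_uid, then restore the
 * caller's fsuid. Never opens for writing, so the switched identity cannot be
 * used to modify files such as /etc/passwd through this helper. */
static int open_ro_as(const char *path, uid_t fs_uid)
{
    uid_t saved = current_fsuid();
    if (set_fsuid_checked(fs_uid) != 0)
        return -1;
    int fd = open(path, O_RDONLY);
    int err = errno;
    if (set_fsuid_checked(saved) != 0) {   /* could not drop back: fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

int main(void)
{
    int fd = open_ro_as("/etc/hostname", geteuid());   /* constructed sample path */
    printf("fd=%d fsuid=%u\n", fd, (unsigned)current_fsuid());
    if (fd >= 0)
        close(fd);
    return 0;
}
```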